Firewall schedules

Firewall schedules control when policies are in effect. When you add a security policy on a FortiGate unit you need to set a schedule to determine the time frame in which the policy will be functioning. While it is not set by default, the normal schedule would be always. This means that the policy that has been created is always functioning and always policing the traffic going through the FortiGate. The time component of the schedule is based on 24 hour clock notation, or military time as some people would say.

There are two types of schedules: One-time schedules and recurring schedules.

One-time schedule object

One-Time schedules are in effect only once for the period of time specified in the schedule. This can be useful for testing to limit how long a policy will be in effect in case it is not removed, or it can be used for isolated events such as a conference where you will only need a temporary infrastructure change for a few days.

The time frame for a One-time schedule is configured by using a Start time, which includes Year | Month | Day | Hour | Minute, and a Stop time, which includes the same variables. So while the frequency of the schedule is only once, it can last anywhere from 1 minute to multiple years.

Configuring a one-time schedule object in the GUI

  1. Go to Policy & Objects > Schedules.
  2. Select Create New. A drop down menu is displayed. Select Schedule.
  3. From the Type options, choose One-time.
  4. Input a Name for the schedule object.
  5. If you wish to add a Color to the icon in the GUI, you can click on the Change link to choose 1 of 32 color options.
  6. Choose a Start Date.

Selecting the field with the mouse will bring up an interactive calendar graphic that will allow the user to select the date. The date can also be typed in using the format YYYY/MM/DD.

  7. Choose a Start Time.

The Start Time is composed of two fields, Hour and Minute. Think of setting the time for a digital clock in 24 hour mode. The Hour value can be an integer from 0 to 23. The Minute value can be from 0 to 59. 0 and 0 would be midnight at the start of the day and 23 and 59 would be one minute to midnight at the end of the day. The value can be entered by keyboard or by using the up and down arrows in the field to select the value.

  8. Choose an End Date.

Configuration is the same as Start Date.

  9. Choose a Stop Time.

Configuration is the same as Start Time.

  10. Enable/Disable Pre-expiration event log.

This configures the system to create an event log 1 to 100 days before the End Date as a warning in case the schedule needs to be extended.

  11. If the Pre-expiration event log is enabled, set the value for Number of days before.
  12. Press OK.

Example: Firewall schedule – one-time

The company wants to change over their web site image to reference the new year. They have decided to take this opportunity to do some hardware upgrades as well. Their web site is business oriented so they have determined that over New Year’s Eve there will be very limited traffic.

  • They are going to need a maintenance window of 2 hours bracketing midnight on New Year’s Eve.

Configuration in the GUI

  1. Go to Policy & Objects > Objects > Schedule.
  2. Select Create New > Schedule.
  3. Fill out the fields with the following information:
Type: One-time
Name: NewYearsEve_Maintenance
Start Date: 2014/12/31 <use the built in calendar>
End Date: 2015/01/01 <use the built in calendar>
Start Time: Hour: 23, Minute: 0
Stop Time: Hour: 1, Minute: 0
Pre-expiration event log: <disable>
  4. Select OK.

To verify that the schedule was added correctly:

  1. Go to Policy & Objects > Objects > Schedule.
  2. Check that the schedule with the name you used has been added to the list of recurring schedules and that the listed settings are correct.
Configuration in the CLI

  1. Enter the following CLI command:

config firewall schedule onetime
    edit maintenance_window
        set start 23:00 2012/12/31
        set end 01:00 2013/01/01
    next
end

To verify that the schedule was added correctly:

  1. Enter the following CLI command:

config firewall schedule onetime
    edit <the name of the schedule you wish to verify>
        show full-configuration

Recurring schedule object

Recurring schedules are in effect repeatedly at specified times of specified days of the week. The Recurring schedule is based on a repeating cycle of the days of the week as opposed to every x days or days of the month. This means that you can configure the schedule to be in effect on Tuesday, Thursday, and Saturday but not every 2 days or on odd numbered days of the month.

If a recurring schedule has a stop time that is earlier than the start time, the schedule will take effect at the start time but end at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next.

Configuring a recurring schedule object in the GUI

  1. Go to Policy & Objects > Schedules.
  2. Select Create New. A drop down menu is displayed. Select Schedule.
  3. From the Type options, choose Recurring.
  4. Input a Name for the schedule object.
  5. If you wish to add a Color to the icon in the GUI, you can click on the Change link to choose 1 of 32 color options.
  6. From the Days options, choose the day of the week that you would like this schedule to apply to. The schedule will be in effect on the days of the week that have a check mark in the checkbox to the left of the name of the weekday.
  7. If the scheduled time is the whole day, leave the All Day toggle switch enabled. If the schedule is for specific times during the day, disable the All Day toggle switch.
  8. If the All Day option is disabled, choose a Start Time.

The Start Time is composed of two fields, Hour and Minute. Think of setting the time for a digital clock in 24 hour mode. The Hour value can be an integer from 0 to 23. The Minute value can be from 0 to 59. 0 and 0 would be midnight at the start of the day and 23 and 59 would be one minute to midnight at the end of the day. The value can be entered by keyboard or by using the up and down arrows in the field to select the value.

  9. Choose a Stop Time.

Configuration is the same as Start Time.

  10. Press OK.

Because recurring schedules do not work with DENY policies, the strategy when designing a schedule should not be to determine when users cannot access a policy but to build the schedules around when it is possible to access the policy.

Example: Firewall schedule – recurring

The company wants to allow the use of Facebook by employees, but only during non-business hours and the lunch break.

  • The business hours are 9:00 p.m. to 6:00 p.m.
  • The lunch break is 12:00 p.m. to 1:00 p.m.
  • The plan is to create a schedule to cover the morning business hours and the afternoon business hours and block access to the Facebook web site during that time.
Configuration in the GUI

  1. Go to Policy & Objects > Objects > Schedule.
  2. Select Create New > Schedule.
  3. Fill out the fields with the following information:
Type: Recurring
Name: Morning_Business_Hours
Days: Monday, Tuesday, Wednesday, Thursday, Friday
Start Time: Hour = 9, Minute = 0
Stop Time: Hour = 12, Minute = 0
  4. Select OK.
  5. Create a second new schedule.
Type: Recurring
Name: Morning_Business_Hours
Days: Monday, Tuesday, Wednesday, Thursday, Friday
Start Time: Hour = 13, Minute = 0
Stop Time: Hour = 18, Minute = 0
  6. Select OK.

To verify that the schedule was added correctly:

  1. Go to Policy & Objects > Objects > Schedule.
  2. Check that the schedule with the name you used has been added to the list of recurring schedules and that the listed settings are correct.
Configuration in the CLI

  1. Enter the following CLI command:

config firewall schedule recurring
    edit Morning_Business_Hours
        set day monday tuesday wednesday thursday friday
        set start 09:00
        set end 12:00
    next
end

  2. Enter the following CLI command:

config firewall schedule recurring
    edit Afternoon_Business_Hours
        set day monday tuesday wednesday thursday friday
        set start 13:00
        set end 18:00
    next
end

To verify that the schedule was added correctly:

  1. Enter the following CLI command:

config firewall schedule recurring
    edit <the name of the schedule you wish to verify>
        show full-configuration

Schedule groups

You can organize multiple firewall schedules into a schedule group to simplify your security policy list. The schedule parameter in the policy configuration does not allow multiple schedules to be entered into a single policy, so if you have a combination of time frames that you want to schedule the policy for, the best approach, rather than making multiple policies, is to use a schedule group.

Creating a schedule group object

  1. Go to Policy & Objects > Schedules.
  2. Select Create New. A drop down menu is displayed. Select Schedule Group.
  3. Input a Name for the schedule object.
  4. In the Members field, select the “+” to bring forth the panel for selecting entries.
  5. Press OK.

Example

Your Internet policy allows employees to visit Social Media sites from company computers but not during what is considered working hours. The offices are open a few hours before working hours and the doors are not locked until a few hours after official closing so work hours are from 9 to 5 with a lunch break from Noon to 1:00 p.m.

Your approach is to block the traffic between 9 and noon and between 1:00 p.m. and 5:00 p.m. This means you will need two schedules for a single policy and the schedule group handles this for you. Schedule groups can contain both recurring and one-time schedules. Schedule groups cannot contain other schedule groups.
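The schedule semantics described above (a one-time window, a recurring window including the stop-before-start case that wraps into the next day, and a schedule group as the union of its members) as a small Python model. This is an added example, not Fortinet code or verified FortiOS behaviour; the function names, the ISO-string inputs, and the treatment of a 00:00 to 00:00 window as All Day are assumptions. The business-hours and New Year's Eve objects are the guide's own; the Friday overnight schedule is constructed.

```python
from datetime import datetime, time

# Added example, not Fortinet code: a model of when each schedule type puts a
# policy in effect. Function names and the All Day encoding are assumptions.

WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
BUSINESS_DAYS = {"monday", "tuesday", "wednesday", "thursday", "friday"}


def onetime_active(start: datetime, end: datetime, now: datetime) -> bool:
    """One-time schedule: in effect once, from the start time up to the stop time."""
    return start <= now < end


def recurring_active(days, start: time, end: time, now: datetime) -> bool:
    """Recurring schedule: in effect on the checked weekdays between start and end.
    A stop time earlier than the start time wraps past midnight into the next day."""
    today = WEEKDAYS[now.weekday()]
    yesterday = WEEKDAYS[(now.weekday() - 1) % 7]
    t = now.time()
    if start == end:            # assumed All Day encoding (00:00 to 00:00)
        return today in days
    if start < end:             # window lies within a single day
        return today in days and start <= t < end
    # Overnight window: the evening part belongs to a checked day, the early
    # morning part belongs to a window that began on a checked previous day.
    return (today in days and t >= start) or (yesterday in days and t < end)


def group_active(members, when: str) -> bool:
    """Schedule group: in effect whenever any member schedule is in effect."""
    return any(member(when) for member in members)


def at(when: str) -> datetime:
    """Parse an ISO timestamp such as '2015-01-07 12:30'."""
    return datetime.fromisoformat(when)


# The guide's own objects, plus one constructed overnight schedule (Friday 22:00-06:00).
def morning(when): return recurring_active(BUSINESS_DAYS, time(9, 0), time(12, 0), at(when))
def afternoon(when): return recurring_active(BUSINESS_DAYS, time(13, 0), time(18, 0), at(when))
def business_hours(when): return group_active([morning, afternoon], when)
def maintenance(when): return onetime_active(at("2014-12-31 23:00"), at("2015-01-01 01:00"), at(when))
def night_shift(when): return recurring_active({"friday"}, time(22, 0), time(6, 0), at(when))


if __name__ == "__main__":
    print("Business_Hours group in effect Wed 12:30?", business_hours("2015-01-07 12:30"))  # False
    print("Night shift in effect Sat 03:00?", night_shift("2015-01-10 03:00"))            # True
```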

Schedule expiration

The schedule in a security policy enables certain aspects of network traffic to occur for a specific length of time. What it does not do however, is police that time. That is, the policy is active for a given time frame, and as long as the session is open, traffic can continue to flow.

For example, in an office environment, Skype use is allowed between noon and 1pm. During that hour, any Skype traffic continues. As long as that session is open, after the 1pm end time, the Skype conversations can continue, yet new sessions will be blocked. Ideally, the Skype session should close at 1pm.

Using a CLI command you can set the schedule to terminate all sessions when the end time of the schedule is reached. Within the firewall policy configuration (config firewall policy), enter the command: set schedule-timeout enable

By default, this option is set to disable.

A few further settings are needed to make this work.

config firewall policy
    edit ID
        set firewall-session-dirty check-new
    next
end

config system settings
    set firewall-session-dirty check-policy-option
end

Firewall-session-dirty setting

The firewall-session-dirty setting has three options:

  • check-all: CPU flushes all current sessions and re-evaluates them. [default]
  • check-new: CPU keeps existing sessions and applies policy changes to new sessions only. This reduces CPU load and the possibility of packet loss.
  • check-policy-option: Use the option selected in the firewall-session-dirty field of the firewall policy (check-all or check-new, as above, but per policy).

This entry was posted in Administration Guides, FortiGate, FortiOS 6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).